Obfuscated Files or Information: Indicator Removal from Tools

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target's defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

ID: T1027.005
Sub-technique of:  T1027
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Defense Bypassed: Anti-virus, Host intrusion prevention systems, Log analysis, Signature-based detection
Version: 1.1
Created: 19 March 2020
Last Modified: 28 April 2022

Procedure Examples

ID Name Description
G0022 APT3

APT3 has been known to remove indicators of compromise from tools.[1]

S0154 Cobalt Strike

Cobalt Strike includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods.[2][3]

S0187 Daserf

Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.[4]

G0009 Deep Panda

Deep Panda has updated and modified its malware, resulting in different hash values that evade detection.[5]

G0093 GALLIUM

GALLIUM ensured each payload had a unique hash, including by using different types of packers.[6]

S0237 GravityRAT

The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document.[7]

S0260 InvisiMole

InvisiMole has undergone regular technical improvements in an attempt to evade detection.[8]

G0049 OilRig

OilRig has tested malware samples to determine AV detection and subsequently modified the samples to ensure AV evasion.[9][10]

C0014 Operation Wocao

During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.[11]

G0040 Patchwork

Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.[12]

S0587 Penquin

Penquin can remove strings from binaries.[13]

S0194 PowerSploit

PowerSploit's Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.[14][15]

S0650 QakBot

QakBot can make small changes to itself in order to change its checksum and hash value.[16][17]

S0559 SUNBURST

SUNBURST source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to SUNSPOT.[18]

G0088 TEMP.Veles

TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.[19]

G0010 Turla

Based on comparison of Gazer versions, Turla made an effort to obfuscate strings in the malware that could be used as IoCs, including the mutex name and named pipe.[20]

S0579 Waterbear

Waterbear can scramble functions not to be executed again with random values.[21]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0015 Application Log Application Log Content

The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

References